h4sh3m, Posted January 19, 2018

Hi

Maybe this helps someone to create custom loaders!

BR,
h4sh3m

Attachment: x64_Simple_Loader_Delphi.rar

GautamGreat, Posted January 31, 2018

Hi,

Instead of using this function, can't we grab the image base from the PEB? Actually, I don't have an x64 system at this time.

    // Requires: uses Winapi.Windows, Winapi.TlHelp32, System.SysUtils;
    function GetModuleImageBase(PID : NativeUInt; Module : string):NativeUInt;
    var
      ModuleSnap: THandle;
      ModuleEntry32: TModuleEntry32;
      More: Boolean;
      ImageBase: Pointer;
      s : string;
    begin
      Result := 0;
      // Snapshot the module list of the target process.
      ModuleSnap := CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
      if ModuleSnap = INVALID_HANDLE_VALUE then
      begin
        messagebox(0, 'Can''t Read Process Memory', 'Error', mb_iconerror);
        Exit;
      end;
      try
        ModuleEntry32.dwSize := SizeOf(ModuleEntry32);
        More := Module32First(ModuleSnap, ModuleEntry32);
        while More do
        begin
          ImageBase := ModuleEntry32.modBaseAddr;
          // Compare file names only, case-insensitively.
          s := extractfilename(StrPas(ModuleEntry32.szExePath));
          s := LowerCase(s);
          if s = LowerCase(Module) then
          begin
            // NativeUInt keeps the full address; integer() would truncate it on x64.
            Result := NativeUInt(ImageBase);
            break;
          end;
          More := Module32Next(ModuleSnap, ModuleEntry32);
        end;
      finally
        // Only reached with a valid snapshot handle.
        CloseHandle(ModuleSnap);
      end;
    end;

h4sh3m (Author), Posted February 8, 2018 (edited)

Hi @GautamGreat,

As I said, this is a simple loader. You can do this with the PEB, but I haven't tested it!

BR,
h4sh3m

Edited May 31, 2020 by h4sh3m

xxx22xxx, Posted June 10, 2018 (edited)

@h4sh3m When compiling your loader I get an error.

If I comment this out, I get the next error.

Edited June 10, 2018 by xxx22xxx

h4sh3m (Author), Posted June 10, 2018 (edited)

Hi

Which compiler are you using? With this code you can't patch an x64 target via an x86 loader?!

After all, you can change "CreateProcess" -> "CreateProcessW" and "w : DWORD" -> "w : NativeUInt".

Best Regards,
h4sh3m

Edited June 10, 2018 by h4sh3m

xxx22xxx, Posted June 10, 2018

@h4sh3m Thanks, already solved it. I had used Delphi 7 Lite Full Edition; now I have installed RAD Studio XE2 and it works!

But I have a question: will this loader work, for example, to patch Adobe x64-bit software? Or will it not work, like GautamGreat says??

h4sh3m (Author), Posted June 10, 2018

If you patch the right place it will work.

It depends on you (and/or your target); if your target is protected, maybe it will fail for several reasons, like: detecting a debugger (I'm not sure whether the debug flag is used or not, but some protectors (and some handy ways) check the parent process to detect it!), memory protection (checksum), ... You can use the proxy method too for this purpose.